Tags: authentication, cookies, browser, safari, webkit

Does Safari consider subdomains of a 2nd level domain to be 3rd party?


I'd like to set up a front-end on one host that authenticates with a back-end on another host. Assuming that the domains are:

Will Safari allow api.example.com to set a cookie in the browser if the request was made while the user was at www.example.com?


Solution

  • The answer is no: Safari/WebKit considers sites that share a 2nd-level domain (i.e., example.com) to be 1st-party.

    We tested this on some sites hosted on our local machines using dummy domains (www.example.localdev and api.example.localdev) and Safari treated them as 3rd-party. This meant we could not use our client-side site (www) to authenticate a user via our backend (api).

    However, upon moving to staging instances on the internet with actual domains (www.example.com and api.example.com) they were treated as 1st-party and everyone went home happy.

    WebKit's tracking protection describes supporting the subdomain strategy:

    First and third-party. If news.example is shown in the URL bar and it loads a subresource from adtech.example, then news.example is first-party and adtech.example is third-party. Note that different parties have to be different websites. sub.news.example is considered first-party when loaded under news.example because they are considered to be the same site.

    But it appears they also adhere strictly to their description of a website as "a registrable domain including all of its subdomains."
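As an added illustration (not code from the original question or answer), the following implements the "registrable domain including all of its subdomains" rule quoted above as a same-site check, and shows the CORS response the api host still needs because www and api remain different origins. The Public Suffix List is stood in for by a small constructed subset; a real check would load the full list.

```javascript
// Added example, not code from the original post: a "same site" check that
// follows the rule quoted above (a registrable domain plus all its subdomains).
// The Public Suffix List is replaced by a small constructed subset; a real
// implementation would load the full list (https://publicsuffix.org/).
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk", "github.io"]);

function labelsOf(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".");
}

// Longest matching suffix from the list. Per the PSL algorithm, a host whose
// TLD is unknown (e.g. ".localdev") falls back to its last label as suffix.
function publicSuffix(host) {
  const labels = labelsOf(host);
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// Registrable domain (eTLD+1): the public suffix plus one more label, or null
// when the host is itself a public suffix (e.g. "co.uk").
function registrableDomain(host) {
  const labels = labelsOf(host);
  const suffixCount = publicSuffix(host).split(".").length;
  if (labels.length <= suffixCount) return null;
  return labels.slice(labels.length - suffixCount - 1).join(".");
}

// Same site = same registrable domain. This is weaker than same origin:
// www.example.com and api.example.com are same-site but different origins.
function isSameSite(hostA, hostB) {
  const a = registrableDomain(hostA);
  return a !== null && a === registrableDomain(hostB);
}

// Because the two hosts are still different origins, the api host must answer
// a credentialed fetch() from www with an explicit CORS allow-list. Returns
// null (no CORS headers) for an origin that is not on the list.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return null;
  return {
    "Access-Control-Allow-Origin": requestOrigin, // exact origin, never "*"
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}
```

Under the list-based rule the dummy www.example.localdev and api.example.localdev hosts come out same-site, so this check alone does not reproduce the third-party behaviour the answer observed on local machines; the front-end also needs `fetch(url, { credentials: "include" })` for the api cookie to be sent or stored at all.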